New business continuity standard a hit

A newly-minted British Standard – BS25999 part two – which specifies business continuity best practices is proving a must-have for UK firms that want to demonstrate compliance.

Fear sells. And in business the biggest fear of all is of a disaster that knocks out the ability to serve your customers, be it a flood, fire or other catastrophic event. That's probably why a new British Standard released late last year – BS25999 part two – which specifies certifiable business continuity processes, is being enthusiastically taken up by thousands of UK companies.

But what is the likely impact of the standard, what benefits will it bring and what contribution will IT departments have to make to get the BS25999 Kite Mark on their firm's headed notepaper?

Significance and benefits

Business continuity planning is vital, and the ability to convey to potential business partners that you have adequate processes to take care of unforeseen events is becoming equally so.

While BS25999 part one - which outlines the general processes, principles and terminology of business continuity management - has been available since 2006, part two specifies best practice in terms of the people, infrastructure and information flows needed to get a business up and running with minimum disruption if disaster strikes.

It will also make it possible for organisations to have their business continuity management arrangements independently certified by external auditors, and so provide stakeholders, customers and insurers with a far greater degree of comfort about the rigour with which their planning was formulated. BS25999 replaces the BSI's Publicly Available Specification PAS 56, which has been available for four years.

The utility Scottish Power began putting in place processes aimed at BS25999 certification nearly two years ago. It expects to generate three-yearly plans using software tools that allow business continuity contingencies to be generated and communicated via its intranet, and is working with major suppliers to build compliance into contracts. Banking giant HBOS has also been putting in place procedures aimed at gaining certification for several months now, and sees BS25999 compliance as a business differentiator.

That's also the view of Richard Hodkinson, group IT and operations director with law firm Irwin Mitchell, a NetApp storage shop which also has plans to gain BS25999 certification.

"It is critical for our work. We do a lot for insurers and financial institutions and they are very concerned about data availability and security. They don't always ask for these standards by name but they want that level of assurance there," he says.

"We already have [global security standard] ISO27001 certification, which means we have a lot of procedures already in place. This year we will do a gap analysis to see what we need to do to get from ISO27001 to BS25999 and launch a campaign to achieve certification," he adds.

Take up of BS25999 part two is extremely high, says Ron Miller, managing consultant with business continuity specialists, Sungard.

"BS25999 is the most downloaded standard ever and the second most popular standard worldwide, second only to ISO9000. A lot of organizations are taking it to heart, not just in the UK, but globally," he says.

What does BS25999 mean for IT?

BS25999 part two is not solely about the IT department. It addresses business continuity issues more widely, such as whether you have alternative premises, what to do if there is a fire in the building, and what you would do with staff in those circumstances.

When it comes to IT, BS25999 is not at all prescriptive in terms of technologies or solutions. But it will certify that decisions have been taken and that processes have been generated and documented, and will examine these in light of the appropriate technical requirements, says Sungard's Ron Miller.

"It is a guide to how organizations of all shapes and sizes and business sectors can implement business continuity. There's nothing new in it and it's not rocket science but the sort of thing good practitioners have been doing for years."

"Certification will mean demonstrating to auditors from the certification bodies such as BSI and LRQS that they are complying with part two of the standard and changing the 'shoulds' into 'shalls'. The auditors will be looking for documentary evidence that processes are in place and will bring technical experts with them to ask why particular decisions have been made," he says.

According to Miller, BS25999 is the first risk-based standard. "All previous standards have been process-driven, but BS25999 requires you to demonstrate you've made decisions based on the risk appetite of your business," he says.

"For example, if you have two databases and you've determined one of them to be absolutely critical and the other not so, you would have to show that you have taken technology and process decisions that match what you consider their value to be to your business," says Miller.

After BS25999?

While the ink is barely dry on BS25999 there is another standard on the horizon which will go into more detail about the technologies and procedures needed to keep a business's IT running.

BS25777, which replaces Publicly Available Specification PAS 77, will follow the general model of BS25999 but provide guidance on aspects of IT service continuity management, including risk assessment and planning. Formulation of the standard – which will include far more detailed IT and storage specifications – was initiated late last year, with a draft for comment expected by summer 2008.
